39

Anti Spam Best Practices

Anti Spam Engine:

Time-Tested Scanning
An IceWarp White Paper

October 2008 www.icewarp.com

Anti Spam Engine: Time-Tested Scanning IceWarp 2008 All Rights Reserved.

40

Background
The proliferation of spam will increase. That is a fact. Secure Computings July 2008 report reveals that numbers far exceeded global expectations. Spam rose 280% from July 2007 to July 2008. The years peakwasonMarch27,with185billionspammessagessentthatday. RadicatiGroupalsofoundthatbythecloseof2008,78%ofworldwide emailtrafficwillbespam.Thisfigurewillincreasesteadilyoverthenext fouryears,totaling83%in2012. According to Spamhaus, 80% of all internet spam comes from just 100 spamoperationsworldwide. It should be noted that spam laws are often ineffectual, for they are hardtoenforceandmanygovernmentschoosetoturnablindeye.

SpamLevels
As new spammers enter the fray and as all spammers refine their tactics, the threat to the business community will only rise. Spam is more than a nuisance because its management can cut sharply into a companysbottomline,andbecauseitcancarrymalware. Whiledifferentorganizationsrenderslightlydifferentresearchresults,it isclearthatbusinessesarehitbyspamthehardest. Considertheseadditionalstatistics: Sophos reveals that the percentage of spam in the averagebusinessserverreached96.5%byJune2008. NucleusResearchestimatesthatatleast90%ofallemail reachingcorporateserversisspam. Sophos finds that only one of every 28 emails received bybusinessislegitimate. Radicati Research Group reports that spam annually costs businesses $20.5 billion in technical expenses and decreasedproductivity. Nucleus Research calculates that companies annually lose$1,934peremployee,duetospam.

Spamrose280%fromJuly 2007toJuly2008. SecureComputing

Anti Spam Engine: Time-Tested Scanning IceWarp 2008 All Rights Reserved.

41

WhatCanBeDoneAboutSpam?
Since there is no feasible way to eliminate spam, the best defense rests withsophisticated,aggressivefiltration.

AntiSpamEngineOverview
IceWarps builtin Anti Spam Engine is a powerful business tool that can be used to combat the everincreasing amount of internet spam. While this tools default settings already make for a powerful antispam solution, minor adjustments on the individual server can provide considerable more protection. The administrator can increase the accuracy of spam identification first by identifying the nature of incoming messaging, then by making necessary changes to the Anti Spammodule. For proper filtration, it is important to identify the different layers of IceWarpsAntiSpamEngine: RBLs (Realtime Blackhole Lists) RBLs are lists that check eachemailagainstknownspamservers. Bayesian Learning Engine Bayesian Learning Engines are dynamic, intelligent engines that teach the system about a servers email patterns. Antispam protocols can be finetuned to recognize email patterns that have been reviewed by trusted membersofthemailserver. Quarantine and Spam Folders with Email Reporting Quarantine and spam folders gives users the ability to monitor incoming messages without examining each item without filling uptheinbox.Inaddition,messagesdonotfilluptheinbox.This method uses whitelisting and gives the end user significant controlovertheirinbox. White Lists White Lists give end users control over the messages they receive. The system can be set to automatically approveaddressesthattheusersendsto,therebyensuringthat incoming email from those addresses are approved for the inbox,andwillnotbeflaggedasspamorbequarantined. Black Lists Black Lists give end users the ability to reject email fromdisapprovedaddresses.

Anti Spam Engine: Time-Tested Scanning IceWarp 2008 All Rights Reserved.

42 GreyListsWhenareceivingserverreturnsamessageasasoft failure, the sending server, if RFCcompliant, will always resend the message. However, most spammers configure their servers to not return such messages. Greylisting takes advantage of this by rejecting every initial connection to the server for a predetermined number of minutes, then accepting the resent message. While this can initially slow communication, communication speed will increase the longer Greylisting remains active, thus cutting down on the amount of spam. Some estimates indicate that spam can be reduced 70 percent usingthismethod. Miscellaneous Rules Using additional Rules, users can fine tune spam identification protocols in IceWarps Anti Spam Engine. These include, but are not limited to, charsetblocking, DNSresolution,andbyflaggingparticularemailformats. SpamAssassin IceWarp SpamAssassin is the heart of IceWarps Anti Spam Engine, a robust system that determines the spam value of all incoming messages by comparing it with a series of contentrules. SpamAssassins profiles remain current by updating regularly with the IceWarp's Anti Spam Server. A given emails spam score will increase with every violation that is identified. Once the score reaches the threshold that the emailadministratorestablishes,itwillbemarkedasspam. IceWarp SpamAssassin is open source, highly configurable and canbetailoredtofittheneedsofabusiness.

IceWarpdoesnotprovidearigid,narrowlydefinedspamsolutionforall users.Rather,thepoweroftheIceWarpAntiSpamisitsflexibility.Since there are many different kinds of email and the nature of incoming messages can change over time, no single solution is feasible. Therefore, the system administrator will need to monitor the system andmakeadjustmentsalongtheway. IceWarprecommendsthatthefollowingsettingsbeusedinconjunction with the IceWarp Anti Spam Engine. Please note that they do not requirelicensingofAntiSpamEngine.

Anti Spam Engine: Time-Tested Scanning IceWarp 2008 All Rights Reserved.

43

LockingDowntheServer
Locatedat[Mailservice][Security][Generaltab]

Figure1

Figure 1 illustrates a closed relay in the server. A closed relay rejects local unauthorized domains authorization and permits only the localhost of IP of 127.0.0.1 to send emails through the server. These settings prevent an unauthorized account from sending email through a server, and with the help of the SMTP log files, make it possible for an administrator to track down the spammer that is using a compromised account on the server. These settings permit the client software (such as Outlook or Thunderbird) With these settings in place the client software(suchasOutlookorThunderbird)wouldhavetousetheoption my server requires authentication in order to be able to send email through the Icewarp Email Server. There are times when it is necessary to add an IP address to the Trusted IPs and Hosts (When you have a webpage thatyouwish to beable tosendemailthroughyourserver,or if all client machines are within a local IP range, such as 192.168.*.*), but it is recommended to do this with caution if using any public IP addresses. When using the option for POP before SMTP, authentication is done through POP/IMAP connections, and will show only in those logs, not the SMTP log. This setting will authenticate the IP where the POP/IMAP connectionaccountloggedintothesystemforXnumberofminutes.

Anti Spam Engine: Time-Tested Scanning IceWarp 2008 All Rights Reserved.

44 While it is acceptable to use this setting, it does need to be turned on if the server has been compromised by a spammer sending out through the server. Administrators who experience a system compromise should go to http://esupport.icewarp.com, search for spammer relaying, and select the article, Possible Spammer Relaying through MyServer. They should then follow the steps provided in order to determine how thesystemwascompromised. To make certain that someone cannot breach the system and send messages to server accounts via the server domain name, administrators should select the option, Reject if originators domain is local and not authorized. This option prohibits spammers from spoofing legitimate accounts such as PostMaster and Admin, and will eliminateuncertaintyintheenduser.

DNSbasedBlocking
Locatedat[Mailservice][Security][DNStab]
A list of RBLs that can be used to check incoming email is available in the Anti Spam Engine settings. It helps with the marking and distribution of spam. However, a system administrator can also use these DNSBL lists in the Mail Securitysettingsinconjunctionwith the Intrusion Prevention settings in order to close the settings and reject the connection from known spammers. By closing and blocking the sessions at the IP level, an administrator can significantly lower the amount of traffic to the server because the CPU will not have to process every email through the Anti Spam Engine. Thus, the impact on the systemislessened.

Figure2

Figure 2 illustrates the suggested default email server settings. Notice that the only two DNSBL lists are used. IceWarp highly recommends
Anti Spam Engine: Time-Tested Scanning IceWarp 2008 All Rights Reserved.

45 that no more than be used. Since the system needs to check these lists for each email, more than two DNSBLs would result in a longer connectiontime.Oncethereisamatch,itnolongerneedstosearchfor others. This is not true for the RBL lists in SpamAssassin, where the systemmuchcheckagainsteverylist. Once the administrator selects the Reject options based on the rDNS, email coming into the system is limited to actual email domains. This keeps the server from accepting email from nonexistent domains, a common technique used by spammers, and domains that do not have proper reverse DNS resolution set up. This guarantees that the email coming from the IP associated with that domain and is not being spoofed.

IntrusionPrevention
Locatedat[SMTPService][Security][IntrusionPreventionTab]
TheIntPrsettingsblockconnections to the server according to different levels of suspicious activity. When a sender trips one of these options, their IP address is tagged as a blocked IP in the IntPr table. By default,itwillremainblockedfor30 minutes. After that time, a sender from the blocked IP can attempt to sendtotheserveragain. This ensures that IceWarp's Email Server will not be flooded but it does not permanently reject a communication attempt, in the event that the sending server is legitimate but merely compromised byavirusorisolatedspammer.This feature leaves the door open for future correspondence with the originating server once the problem hasbeenresolved.
Anti Spam Engine: Time-Tested Scanning IceWarp 2008 All Rights Reserved.

Figure3

Figure 3 illustrates a solid baseline for a systems initial setup. Those interested in learning more about each individual setting should navigate to this screen via the IceWarp Console,andthenhitF1topulluptheHelpfile. These settings are used because they address activitygenerallyusedonlybyspammers.

46 Caution: one of these settings should be used with care. Legitimate email might be blocked from clients who subscribe to the same mailing list. This can occur when there are multiple list subscribers, and if the system administrator selects the option, Block IP address that establishes a number of connections in 1 minute. Therefore, while it is a suggested setting, the email server postmaster should remain aware of this possibility, and be prepared to change or remove this setting in the event that ithappens.

AdvancedSecuritySettings
Locatedat[MailService][Security][AdvancedTab]
Very few of these settings will be usedasadefaultinstallation,butthey each serve a special purpose. As illustrated in figure 4, the security setting, Deny SMTP EXPN command, should be selected. SMTP EXPN commands can give attackers the ability to determine which accounts exist on the system. This would give them the means by which to execute a brute force attack on user accounts. EXPN provides additional user data, including identifying information, which should besafeguardedfromattackers.

Figure4

Anti Spam Engine: Time-Tested Scanning IceWarp 2008 All Rights Reserved.

47

RecommendedIceWarpAntiSpamConfiguration

The following screenshots and details will help administrators set up the IceWarp Email Anti Spam Engine with suggested default settings. The discussion will include the reasoning behind the settings and the ways that an administrator can determine how to best customize those settings. If a particular setting herein is shown but not discussed, the default setting is suggested. Figure 5 illustrates the basic configuration of IceWarps Anti Spam Engine. It serves as a baseline, but consideration must be given to the nature of all outbound email and the classofbusinessdeployingtheserver. For instance, it is generally advisable for an ISP to scan all outbound email, while a small business can usually forego this option. In addition, the system administrator must determine if local accounts should be subject to antispam filtration. A small business might not need to subject local accounts to quarantines, white lists and black lists, while an ISP might seriously consider this option in order to keep its members safe from the spamming attempts of other members within thesamedomain. The [AntiSpam] Action settings possess the controls that tell the server how to differentiate the different levels of spam and how to deal with them according to their final SpamAssassin score. A system administrator will need to determine tagging, quarantine, rejectionanddeletionthresholds.
Anti Spam Engine: Time-Tested Scanning IceWarp 2008 All Rights Reserved.

Figure5

48 Figure 6 illustrates a low quarantine threshold and though a message might be quarantined at a low threshold, it might not be marked as spam unless it achieves a higher spamscore.

Figure6

Note that figure 6 does not include a rejection threshold, since rejecting spam can, at times, result in having a server blacklisted as a spam trap. Having the system add [Spam] to the subject line is an alternate option; in addition, the postmaster may simply decide to use the different levels of spam organization quarantineandspam. In order to use the spam folder (as opposed to the quarantine folder), a system administrator must select the appropriate option and integrate spam folders with the IMAP folder, and choose the IMAP folder to integrate with it. The spam folder can remain free of spam overload if theserverissettodeletespammessagesthatare7daysold. The system administrator can also use the Reports tab, indicated in figure 6, to create and email daily spam reports. These reports will indicate to users what messages were placed in the Quarantine and Spamfolders,givingusersmanualcontrol.

Anti Spam Engine: Time-Tested Scanning IceWarp 2008 All Rights Reserved.

49

SpamAssassin
Locatedat[Antispam][SpamAssassin]
The postmaster will be able to dictate what parts of the SpamAssassin Engine will be employed via the main screen. There are many options, andnotallofthemwillbeusedbyallemailservers. Please note that Razor2 technology is not selected in figure 7. A system administrator maychoosetoexcludethisoption since, upon receipt of a message, Razor2 queries the sending server for validation. While this tool is highly effective in identifying spam,itcanalsoslowdownemail communication and cause a backup of connections, which can bog down large installation servers. Administrators should use this setting and RBL lists with dueconsideration. Figure7
Razor2isadistributed,collaborative,spamdetectionandfiltering network.Throughusercontribution,Razor2establishesa distributedandconstantlyupdatingcatalogueofspamin propagationthatisconsultedbyemailclientstofilteroutknown spam.Detectionisdonewithstatisticalandrandomizedsignatures thatefficientlyspotmutatingspamcontent.Userinputisvalidated throughreputationassignmentsbasedonconsensusonreportand revokeassertionswhichinturnisusedforcomputingconfidence valuesassociatedwithindividualsignatures.

SourceForge.net Inorderforthistofunctionproperly,thesystem administratorwillneedtoopenupaccessthroughport 2703.Thisfunctionalitywillnotworkiftheportisnot open.

Anti Spam Engine: Time-Tested Scanning IceWarp 2008 All Rights Reserved.

50 As previously mentioned, RBL lists can reduce email processing and filtration speedsonbusiersystems.Thiswhitepaper alsostatedthatthoseusingDNSBLsshould limit the number of RBL and DNSBL checks to 3, and that the same RBLs used in the DNSBL security settings not be used in SpamAssassin. This measure will prevent the server from creating a redundant check and allow for faster filtration. Figure 8 illustrates the selection of only one RBL list,whereastwowereselectedinfigure2.

Figure8

AntiSpamBlackListandWhiteList
Offeringflexibilityinspamidentification,blacklistsandwhitelistsin IceWarpsAntiSpamEnginegiveendusersultimatecontroloftheir inboxes.

BlackLists:
IceWarpprovidestwomethodsofsettingupblacklists. By default, the installation sets it up so that blacklisting rejects emailifthesenderisblacklisted The other option is for the administrator to have the black list item add a defined score to the SpamAssassin total, and then deal with the email based on the global spam engine settings. (I.e.theenginewillsenditeithertoSpamorQuarantine,orelse rejectordeleteit).

WhiteLists:
While the black list engine is on by default, the white list engine needs to be turned on manually. Figure 9 illustrates the various whitelisting options.
Anti Spam Engine: Time-Tested Scanning IceWarp 2008 All Rights Reserved.

51 Forinstance,thesystemcanbeset to automatically whitelist trusted email recipients and senders in groupwareaddressbooks. Two notable settings that have not been selected in figure 9 are whitelist trusted IPs and authenticated sessions and Whitelistlocaldomainsenders. Thesetwosettingsare recommendedforindividual businessesandnotbyISPsthat hostemailforagreatmanyusers. Bychoosingtheseitems,all accountssentinternallywithin theserverwouldbetrustedand bypassedbythespamengine.

Figure9

Miscellaneous
Locatedat[Antispam][Miscellaneous]
The Miscellaneous tab in figure 10 contains settings that are used to modify the SpamAssassin score after initial scanning. The suggested practice on this is to use the default settings for all three tabs, only changing them withcaution. Shown in figure 10, the Content settings reflect common methods spammers use to trick antispam engines into believing spam is legitimate email. While noneofthesecriteria,individually,will causeamessage tobeclassifiedasspam,multipleviolationswill.

Figure10

Anti Spam Engine: Time-Tested Scanning IceWarp 2008 All Rights Reserved.

52 Violations rarely occur in legitimate email, as 99% of all email clients properly format email in order to comply. Forinstance, spamisoftencomprisedofagraphic,with nobonafidetext. Phishers create email content that is comprised entirely of a link. Customarily, legitimate email includes links as merelyoneelementofmany.

Charset
The Charset tab gives administrators the ability to exclude certain types of email. Some spam contains foreign language, such as Russian or Chinese. If a server is spammed with this kind of email, the administrator can open up one of the messages, locate the charset line, and place that charset into the Forbidden charsets field shown in figure 11, thus blocking additional messagescarryingthestring.

Figure11

Sender
The optional settings available on the Sender tab will not be defaulted. Administrators should exercise care before selecting them and generally only if the item is the cause of a known problem.Seefigure12.
Figure12

The 3 settings available on the Sender tab will only block emails from unapproved clients, not those that are RFC compliant. However, if the originating server is older or belongs to a small company, it is possible for legitimate emailtobefilteredasspam.

Anti Spam Engine: Time-Tested Scanning IceWarp 2008 All Rights Reserved.

53

Note
ThisdiscussioncontinuesinIceWarpswhitepaperentitled,AntiSpamLIVEService:ZeroHour Protection.

Anti Spam Engine: Time-Tested Scanning IceWarp 2008 All Rights Reserved.